Authenticating a Webhook Isn't Validating It
Many developers ship a dangerous bug to production. They confuse authentication with validation.
Authentication means the message came from the right provider. Validation means the data inside the message is correct.
If you only do the first step, you lose money: a genuine notification for a small payment can be used to settle a much larger order.
A recent WordPress vulnerability (CVE-2026-9189) shows this error. The Contact Form 7 PayPal and Stripe Add-on failed to check payment amounts.
Here is how an attacker exploits this:
- An attacker creates a $2,000 order.
- The attacker makes a real $1 payment.
- They set the invoice number to match the $2,000 order.
- PayPal sends a real, verified notification for the $1 payment.
- The plugin sees the verified message and marks the $2,000 order as paid.
The plugin trusted the messenger but ignored the message.
Do not make this mistake. When you handle webhooks, follow these steps:
- Authenticate the message using signatures or shared secrets.
- Match the amount and currency to the order in your database.
- Verify the recipient email matches your account.
- Use a server-side value to link the order. Do not trust an invoice ID sent in the payload alone.
- Use idempotency to ignore duplicate transaction IDs.
- Keep TLS verification active for all requests.
- Fail closed. If any check fails, stop everything.
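The checklist above as one webhook handler, written as an added example for this post (it is not code from the Contact Form 7 add-on or from any payment provider). It assumes a provider that signs the raw request body with an HMAC-SHA256 shared secret and identifies the merchant's receiving account by e-mail; the order store, secret, e-mail address and event field names are constructed for the example. The handler authenticates first, then checks amount, currency, receiver, the server-generated order token and the transaction ID, and touches the order only when every check passes.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Assumptions (constructed for this example): the provider signs the raw body
# with an HMAC-SHA256 shared secret, and the merchant's receiving account is
# identified by e-mail. Real providers differ in header names and formats.
WEBHOOK_SECRET = b"constructed-shared-secret"
MERCHANT_EMAIL = "payments@merchant.example"

# Constructed server-side order store. The key is an opaque token generated by
# our server when the order was created; the amount stored here is the source
# of truth, never the amount carried in the webhook.
ORDERS = {
    "ord_7f3a9c": {"amount": Decimal("2000.00"), "currency": "USD", "status": "unpaid"},
}

# Transaction IDs already applied, for idempotency (a real service persists this).
PROCESSED_TXN_IDS = set()


def compute_signature(raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded."""
    return hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()


def authenticate(raw_body: bytes, signature: str) -> bool:
    """Step 1: did the message really come from the provider?"""
    return hmac.compare_digest(compute_signature(raw_body), signature)


def handle_webhook(raw_body: bytes, signature: str) -> str:
    """Authenticate, then validate. Returns 'accepted' only when every check
    passes; any other return value means the order was left untouched."""
    if not authenticate(raw_body, signature):
        return "rejected: bad signature"

    try:
        event = json.loads(raw_body)
    except ValueError:
        return "rejected: malformed body"
    if not isinstance(event, dict):
        return "rejected: malformed body"

    txn_id = event.get("txn_id")
    if not txn_id:
        return "rejected: missing txn_id"
    if txn_id in PROCESSED_TXN_IDS:
        return "ignored: duplicate txn_id"

    # Link to the order by our own server-generated token, never by a
    # caller-supplied invoice number alone.
    order = ORDERS.get(event.get("order_token"))
    if order is None:
        return "rejected: unknown order"
    if order["status"] != "unpaid":
        return "rejected: order not awaiting payment"

    # The money must have gone to our account.
    if event.get("receiver_email") != MERCHANT_EMAIL:
        return "rejected: receiver mismatch"
    if event.get("status") != "completed":
        return "rejected: payment not completed"

    # Step 2: compare what was paid with what the order requires. Decimal
    # avoids float rounding surprises on currency values.
    try:
        paid = Decimal(str(event.get("amount")))
    except InvalidOperation:
        return "rejected: unparseable amount"
    if paid != order["amount"] or event.get("currency") != order["currency"]:
        return "rejected: amount or currency mismatch"

    PROCESSED_TXN_IDS.add(txn_id)
    order["status"] = "paid"
    return "accepted"


def make_event(**fields) -> tuple:
    """Build a signed webhook body the way the provider would (constructed sample)."""
    raw = json.dumps(fields, sort_keys=True).encode()
    return raw, compute_signature(raw)


if __name__ == "__main__":
    # A genuine $1 payment pointed at the $2,000 order: it authenticates,
    # but validation stops it from settling the order.
    body, sig = make_event(txn_id="TXN-1", order_token="ord_7f3a9c", amount="1.00",
                           currency="USD", receiver_email=MERCHANT_EMAIL, status="completed")
    print(handle_webhook(body, sig))
```

The order of checks matters: the duplicate check runs before the order is mutated and the transaction ID is recorded only on acceptance, so a rejected event never blocks a later correct one, while a replayed accepted event is ignored rather than applied twice.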
If you use the Contact Form 7 PayPal and Stripe Add-on version 2.4.9 or older, update it now. Every unpaid order is a target for this exploit.
Always authenticate the messenger, then check the data.